
Fix MOK enrollment failure: hardcoded shebang and shell parameter passing#147

Merged: P4X-ng merged 1 commit into main from copilot/fix-issue-in-traceback on Mar 17, 2026

Conversation

Contributor

Copilot AI commented Jan 10, 2026

Description

MOK enrollment tasks failed with ModuleNotFoundError: No module named 'fabric' when invoked via phoenixboot-wizard.sh or directly. Root causes:

  1. pf_parser.py shebang: Hardcoded to #!/home/punk/.venv/bin/python (user-specific venv path)
  2. Shell parameter passing: Tasks using bash -lc 'script.sh "$VAR"' expanded variables in subshell but scripts expected positional parameters $1, $2, $3

Changes

  • pf_parser.py: Changed shebang to #!/usr/bin/env python3 for portability
  • core.pf: Fixed parameter passing in os-mok-enroll, secure-mok-new
  • secure.pf: Fixed parameter passing in secure-mok-verify, secure-enroll-mok, secure-mok-enroll-new, secure-unenroll-mok, secure-der-extract

Before:

shell bash -lc 'scripts/mok-management/enroll-mok.sh "${VAR1}" "${VAR2}" ${VAR3}'

After:

shell bash scripts/mok-management/enroll-mok.sh "${VAR1}" "${VAR2}" "${VAR3}"
  • Breaking change?
  • Impacts security?
  • Includes tests?

How This Was Tested

Verified all MOK tasks execute and reach target scripts with correct parameters:

  • ./pf.py os-mok-enroll - Reaches UEFI firmware check
  • ./pf.py secure-mok-new - Generates keys successfully
  • ./pf.py list - Shows all tasks correctly
  • phoenixboot-wizard.sh - Advanced menu option 3 (Enroll MOK) executes
  • CodeQL security scan: 0 alerts

Integration Instructions

N/A - Bug fix with no integration requirements.

Original prompt

This section details the original issue you should resolve

<issue_title>Bug</issue_title>
<issue_description>Please fix the issue in this traceback $1</issue_description>

Comments on the Issue (you are @copilot in this section)




Note

Low risk: changes are limited to task wrappers, switching from bash -lc to direct script invocation to ensure positional arguments are passed correctly.

Overview
Fixes several .pf task definitions to call MOK/secure-boot helper scripts directly (instead of via bash -lc), ensuring environment-provided values are passed as proper positional parameters and consistently quoted (notably MOK_DRY_RUN).

This updates the enrollment/verification/new-key/unenroll/DER-extract workflows in core.pf and secure.pf, and removes a stray trailing line in core.pf.

Written by Cursor Bugbot for commit 715bc2b.


coderabbitai bot commented Jan 10, 2026

Important

Review skipped

Bot user detected.


Copilot AI changed the title from "[WIP] Fix issue in traceback" to "Fix MOK enrollment failure: hardcoded shebang and shell parameter passing" on Jan 10, 2026
Copilot AI requested a review from P4X-ng January 10, 2026 13:34
P4X-ng force-pushed the copilot/fix-issue-in-traceback branch from 361e1ce to 715bc2b on March 17, 2026 11:44
@P4X-ng P4X-ng marked this pull request as ready for review March 17, 2026 11:44
@P4X-ng P4X-ng merged commit 7ccc205 into main Mar 17, 2026
5 of 38 checks passed
@P4X-ng P4X-ng deleted the copilot/fix-issue-in-traceback branch March 17, 2026 11:44

chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 715bc2bc83


task secure-mok-new
describe Generate new PhoenixGuard MOK keypair (use NAME and CN env)
shell bash -lc 'scripts/mok-management/mok-new.sh "${NAME:-PGMOK}" "${CN:-PhoenixGuard Module Key}"'
shell bash scripts/mok-management/mok-new.sh "${NAME:-PGMOK}" "${CN:-PhoenixGuard Module Key}"
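Review bot: dropping `-lc` on this line only preserves the quoting if the task runner hands the line to bash unchanged; the two reviewers on this PR both point out that pf tokenizes the command and space-joins it again, so the double quotes around `"${CN:-PhoenixGuard Module Key}"` are gone before the shell expands it and the default becomes three positional parameters, leaving mok-new.sh with `$2` = `PhoenixGuard`. Suggest either keeping the argument list inside one `bash -c '...'` string (the Bugbot comment notes .pf_fix.py already re-quotes `-c`/`-lc` arguments with shlex.quote) or moving the `NAME`/`CN` defaults into mok-new.sh itself so a value with spaces never travels through the runner; the same applies to secure-mok-enroll-new in secure.pf.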


P2: Preserve quoting for default CN passed to mok-new

This invocation relies on quoted parameter expansion for "${CN:-PhoenixGuard Module Key}", but the pf runner tokenizes shell commands and rebuilds them as a space-joined string, so the quotes are dropped before execution; the default expands unquoted and is split into multiple words. As a result, scripts/mok-management/mok-new.sh receives CN as only PhoenixGuard (with Module/Key as extra args), which silently changes the generated certificate subject. The same pattern also appears in secure.pf (secure-mok-enroll-new).


cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


task secure-mok-new
describe Generate new PhoenixGuard MOK keypair (use NAME and CN env)
shell bash -lc 'scripts/mok-management/mok-new.sh "${NAME:-PGMOK}" "${CN:-PhoenixGuard Module Key}"'
shell bash scripts/mok-management/mok-new.sh "${NAME:-PGMOK}" "${CN:-PhoenixGuard Module Key}"

Spaces in CN default value cause word-splitting

Medium Severity

The pf tool's parser strips quotes during tokenization (evidenced by .pf_fix.py needing shlex.quote() to re-add them for -c/-lc args). For the new non--lc pattern, "${CN:-PhoenixGuard Module Key}" loses its double quotes after parse-and-rejoin via " ".join(args). When CN is unset, the default value PhoenixGuard Module Key gets word-split into three arguments. mok-new.sh then receives $2 as PhoenixGuard instead of PhoenixGuard Module Key, generating a certificate with an incorrect Common Name.

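The word-splitting both review bots describe, reproduced as an added example that is not the project's pf runner or mok-new.sh: the runner model (shlex.split followed by " ".join) is taken from the Bugbot comment and is an assumption about pf, /bin/sh stands in for bash (it expands `${VAR:-default}` the same way), and a printf stands in for the script so the demo shows the exact positional parameters the script would receive. It also includes a small lint check a maintainer could run over .pf shell lines to catch quoted defaults that would split.

```python
"""Added example: how a tokenize-then-rejoin task runner changes the argv a script receives.
The runner model (shlex.split, then " ".join) follows the Bugbot comment above; it is an
assumption, not the project's pf code. printf stands in for mok-new.sh so this runs anywhere."""
import os
import shlex
import subprocess

# Constructed copy of the argument part of the secure-mok-new task line.
MOK_NEW_ARGS = '"${NAME:-PGMOK}" "${CN:-PhoenixGuard Module Key}"'


def rejoin_space(arg_string):
    """Modelled runner behaviour: tokenize, then space-join. The double quotes are lost."""
    return " ".join(shlex.split(arg_string))


def rejoin_shlex(arg_string):
    """Tempting fix: re-quote every token. Keeps the words together, but the single
    quotes also stop the shell from expanding ${VAR:-default} at all."""
    return shlex.join(shlex.split(arg_string))


def tokens_at_risk(arg_string):
    """Lint check for .pf shell lines: quoted tokens containing whitespace that would
    word-split once the runner drops their quotes. (A plain "${VAR}" whose runtime
    value contains spaces is at risk too, but cannot be seen statically.)"""
    return [tok for tok in shlex.split(arg_string) if any(ch.isspace() for ch in tok)]


def argv_seen_by_script(arg_string, env=None):
    """Let a POSIX shell expand arg_string exactly as the task's bash line would, and
    return the positional parameters ($1, $2, ...) the invoked script receives."""
    script = f'set -- {arg_string}; printf "%s\\n" "$@"'
    clean_env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), **(env or {})}
    out = subprocess.run(["sh", "-c", script], env=clean_env,
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    for label, args in [("as written", MOK_NEW_ARGS),
                        ("after ' '.join", rejoin_space(MOK_NEW_ARGS)),
                        ("after shlex.join", rejoin_shlex(MOK_NEW_ARGS))]:
        print(f"{label:18} CN unset    -> {argv_seen_by_script(args)}")
        print(f"{label:18} CN='My Key' -> {argv_seen_by_script(args, {'CN': 'My Key'})}")
    print("tokens at risk:", tokens_at_risk(MOK_NEW_ARGS))
```

Only the unmodified line yields `['PGMOK', 'PhoenixGuard Module Key']`; the space-joined form hands the script four parameters and the shlex-joined form hands it the unexpanded `${...}` text, which is why the argument list needs to reach bash as one quoted string.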
